声明
本文章中所有内容仅供学习交流使用,不用于其他任何目的,抓包内容、敏感网址、数据接口等均已做脱敏处理,严禁用于商业用途和非法用途,否则由此产生的一切后果均与作者无关!
分析图
启动流程在这里:发起 XHR(XMLHttpRequest)请求后进入加密位置,再根据 true/false 决定生成的结果是拼接在 URL 后面还是放进请求头里。
加密文件
大部分关键代码
// Function.prototype.toString masking helper.
// Replaces Function.prototype.toString with a wrapper that returns a stored
// "[native code]" string for any function tagged through func_set_natvie and
// falls back to the real toString for everything else.
// Defender's note: once this runs, fn.toString() on a tagged stub yields a
// native-looking string, so a "[native code]" check on its own is not evidence
// that a function is a genuine built-in.
!(() => {
"use strict";
// Keep a reference to the genuine implementation before it is replaced.
const $toString = Function.toString;
// Per-run Symbol used as the hidden property key. Its description is "()_" plus
// the decimal text of Math.random(); the 36 passed to toString is ignored because
// the receiver is already a string.
const myFunction_toString_symbol = Symbol('('.concat('', ')_', (Math.random() + '').toString(36)));
// Replacement toString: a function carrying the symbol property returns that stored
// string; any other receiver is handed to the saved original.
const myToString = function () {
return typeof this == 'function' && this[myFunction_toString_symbol] || $toString.call(this);
};
// Defines `key` on `func` as a non-enumerable, configurable, writable data property.
function set_native(func, key, value) {
Object.defineProperty(func, key, {
"enumerable": false,
"configurable": true,
"writable": true,
"value": value
})
};
delete Function.prototype['toString']; // remove the built-in toString from Function.prototype
set_native(Function.prototype, "toString", myToString); // install the replacement (the original comment calls it a getter; it is defined as a plain data property)
set_native(Function.prototype.toString, myFunction_toString_symbol, "function toString() { [native code] }"); // tag the replacement itself so that its own toString() is masked as well
// Attached to the `this` the IIFE is invoked with; later statements in the listing
// call it as this.func_set_natvie(fn).
this.func_set_natvie = (func) => {
// The comma operator discards the symbol, so only func.name || '' is interpolated.
set_native(func, myFunction_toString_symbol, `function ${myFunction_toString_symbol, func.name || ''}() { [native code] }`);
}; // original comment: export the function to globalThis
}).call(this);
const XMLHttpRequest = require('xhr2');
// Window and Navigator constructor shells. Both throw "Illegal constructor" when
// called and are tagged through func_set_natvie so toString() on them is masked.
Window = function Window() {
  throw new TypeError('Illegal constructor');
};
this.func_set_natvie(Window);
Window.prototype.PERSISTENT = 1;
Window.prototype.TEMPORARY = 0;

Navigator = function Navigator() {
  throw new TypeError('Illegal constructor');
};
this.func_set_natvie(Navigator);

// From here on `window` is the Node global object itself, so every window.X
// assignment below creates or replaces a process-wide global.
window = global;

// Give both prototypes a Symbol.toStringTag so Object.prototype.toString reports
// "[object Window]" / "[object Navigator]" for objects that inherit from them.
for (const [ctor, tag] of [[Window, 'Window'], [Navigator, 'Navigator']]) {
  Object.defineProperty(ctor.prototype, Symbol.toStringTag, {
    value: tag,
    configurable: true,
  });
}

// Re-parent the global object onto Window.prototype.
Object.setPrototypeOf(window, Window.prototype);
// Logging stubs for DataView and Notification. `window` was set to Node's `global`
// earlier in this listing, so assigning window.DataView also replaces the built-in
// DataView for every module in the process; anything that needs a working DataView
// receives this stub instead.
// NOTE(review): confirm that nothing loaded alongside this file depends on the real DataView.
window.DataView = function DataView() {
console.log('window.DataView', arguments)
};
// The bare identifier resolves to the global property assigned just above.
this.func_set_natvie(DataView);
window.Notification = function Notification() {
console.log('window.Notification', arguments)
};
this.func_set_natvie(Notification);
// Placeholder location object with no members.
location = {};

// Placeholder screen object: every dimension is 0, orientation is an empty object,
// and both depth values are 24.
screen = {
  width: 0,
  height: 0,
  availHeight: 0,
  availWidth: 0,
  orientation: {},
  pixelDepth: 24,
  colorDepth: 24,
};
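// Logging stubs for several window-level constructors and methods. Each one prints
// its own name together with the arguments it was called with and does nothing else.
//
// Fixed: the original wrote console.log('label'.arguments), a property read on a
// string literal, so every call logged `undefined`. The calls now pass the label and
// `arguments` as two values, matching the other stubs in this listing. The second,
// identical window.scrollBy assignment was dropped.

// Stub constructor returning an object whose open() and send() are no-ops.
// The module-level `const XMLHttpRequest = require('xhr2')` at the top of the listing
// still wins for a bare `XMLHttpRequest` reference inside this file; this stub is
// what code reading window.XMLHttpRequest (or the global from another scope) sees.
window.XMLHttpRequest = function XMLHttpRequest() {
  console.log('window.XMLHttpRequest', arguments);
  return {
    open: function open() {},
    send: function send() {},
  };
};

window.MouseEvent = function MouseEvent() {
  console.log('window.MouseEvent', arguments);
};

window.scroll = function scroll() {
  console.log('window.scroll', arguments);
};

window.scrollBy = function scrollBy() {
  console.log('window.scrollBy', arguments);
};

window.WebGLRenderingContext = function WebGLRenderingContext() {
  console.log('window.WebGLRenderingContext', arguments);
};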
// Pre-set flags and null event-handler slots on the global object.
// NOTE(review): the H5guardCount / wPaths / *Hook* names are presumably state that the
// script under analysis reads or sets itself; the listing does not show where they
// are consumed.
Object.assign(window, {
  H5guardCount: 1,
  wPaths: [],
  xhrHook: true,
  fetchHook: true,
  xhrHooked: true,
  onbeforeinstallprompt: null,
  onhashchange: null,
  ondevicemotion: null,
  ondeviceorientation: null,
  ondeviceorientationabsolute: null,
});
// Replace the global timers with no-ops: a callback handed to setInterval or
// setTimeout is never scheduled and both calls return undefined.
// This applies to every module in the process, not only to the script under analysis.
// NOTE(review): confirm that no library loaded here relies on working timers.
setInterval = function () {
}
setTimeout = function () {
}
// Own toString on the Navigator constructor that returns a fixed native-looking
// string; the function is then tagged so that its own toString() is masked as well.
Navigator.toString = function toString() {
return 'function Navigator() { [native code] }'
};
this.func_set_natvie(Navigator.toString);
// navigator starts as an empty object whose prototype is Navigator.prototype.
navigator = {}
navigator.__proto__ = Navigator.prototype
// self and top both point back at the global object.
window.self = window
window.top = window
// Empty containers; their members are attached by later statements in the listing.
window.localStorage ={}
window.document = {}
// Minimal members for the document placeholder (the bare `document` identifier
// resolves to the global property created by window.document = {}).
// createEvent only logs its arguments and returns undefined.
document.createEvent = function createEvent(type) {
console.log('document.createEvent', arguments)
}
// cookie is an empty object here, not a string.
document.cookie = {}
// documentElement: appendChild/removeChild only log their own name, the client
// size is fixed at 760 x 150, and scrollTop is an empty function.
document.documentElement = {
appendChild: function appendChild() {
console.log('appendChild')
},
removeChild: function removeChild() {
console.log('removeChild')
},
clientHeight: 760,
clientWidth: 150,
scrollTop: function scrollTop() {
}
}
// Storage shims: localStorage and sessionStorage are plain objects that keep items
// as their own properties. Each store gets its own clear/getItem/key/removeItem/
// setItem functions, attached in that order.
// The methods are ordinary enumerable own properties, so Object.keys(), key(index)
// and clear() treat them like stored items; calling clear() removes the methods too.
window.sessionStorage = {};

for (const store of [window.localStorage, window.sessionStorage]) {
  store.clear = function clear() {
    for (const name of Object.keys(this)) {
      delete this[name];
    }
  };

  store.getItem = function getItem(key) {
    return this[key];
  };

  store.key = function key(index) {
    return Object.keys(this)[index];
  };

  store.removeItem = function removeItem(key) {
    delete this[key];
  };

  store.setItem = function setItem(key, value) {
    this[key] = value;
  };
}
// Further global placeholders: a flag, an empty wDomains list, an empty window name
// and an empty indexedDB object.
window.fetchHooked = true
window.wDomains =[
]
window.name = ''
window.indexedDB = {}
// The three PhantomJS-style names are created explicitly with the value undefined.
// NOTE(review): presumably these are names a headless-browser check looks up; the
// listing does not show the check itself.
window._phantom = undefined
window.phantom = undefined
window.callPhantom = undefined
// plugins is a plain array of five objects that carry only a `name` field.
navigator.plugins = [{name: "PDF Viewer"}, {name: "Chrome PDF Viewer"}, {name: "Chromium PDF Viewer"},
{name: "Microsoft Edge PDF Viewer"}, {name: "WebKit built-in PDF"}]
// Wrap Object.prototype.hasOwnProperty: a lookup of the key 'webdriver' reports
// false on every object, and every other key is forwarded to the saved original.
// Defender's note: the override is process-wide, so a client-side check built on
// hasOwnProperty('webdriver') returns false inside a harness like this regardless
// of the real state; such a check should not be the only automation signal.
oph = Object.prototype.hasOwnProperty
Object.prototype.hasOwnProperty = function hasOwnProperty(val) {
if (val === 'webdriver') {
return false
}
return oph.apply(this, arguments)
// NOTE(review): the closing brace of this function is missing from the listing, so
// the code does not parse as shown; the function presumably ends here.
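// Placeholders for document.body and a set of window/document members.
// Unless noted, each function only logs its name and arguments and returns undefined.
//
// Fixed: the PointerEvent stub logged the label 'windo.wPointerEvent'; it now logs
// 'window.PointerEvent' like the other stubs.

// body: appendChild/removeChild are silent no-ops and scrollTop is 0.
document.body = {
  appendChild: function appendChild() {},
  removeChild: function removeChild() {},
  scrollTop: 0,
};

window.AudioContext = function AudioContext() {
  console.log('window.AudioContext', arguments);
};

window.status = '';
window.frameElement = null;
window.onsearch = null;
window.external = {};
window.styleMedia = {type: "screen"};
window.isSecureContext = true;

// Always reports an empty, collapsed selection.
window.getSelection = function getSelection() {
  return {
    anchorOffset: 0,
    baseOffset: 0,
    extentOffset: 0,
    focusOffset: 0,
    isCollapsed: true,
    rangeCount: 0,
    type: "None",
  };
};

window.find = function find() {
  console.log("window.find", arguments);
};

window.dispatchEvent = function dispatchEvent() {
  console.log("window.dispatchEvent ", arguments);
};

window.postMessage = function postMessage() {
  console.log("window.postMessage", arguments);
};

window.removeEventListener = function removeEventListener() {
  console.log("window.removeEventListener", arguments);
};

document.removeEventListener = function removeEventListener(val1, val2) {
  console.log("document.removeEventListener", arguments);
};

// Registration is only logged; the listener (val2) is never stored or invoked
// (the call is commented out in the original listing).
window.addEventListener = function addEventListener(val1, val2, val3) {
  console.log("window.addEventListener", arguments);
};

window.PointerEvent = function PointerEvent() {
  console.log('window.PointerEvent', arguments);
};

// Silent no-op: listeners registered on document are dropped without logging.
document.addEventListener = function addEventListener(val1, val2, val3) {};

window.createImageBitmap = function createImageBitmap() {
  console.log("window.createImageBitmap", arguments);
};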
// Members attached to the navigator placeholder, in the same order as before.
// The three methods only log their name and arguments and return undefined; the
// remaining entries are fixed values or empty objects standing in for browser APIs.
Object.assign(navigator, {
  sendBeacon: function sendBeacon() {
    console.log('navigator.sendBeacon', arguments);
  },
  javaEnabled: function javaEnabled() {
    console.log('navigator.javaEnabled', arguments);
  },
  vibrate: function vibrate() {
    console.log('navigator.vibrate', arguments);
  },
  userActivation: {
    hasBeenActive: true,
    isActive: false,
  },
  mediaSession: {
    playbackState: "none",
  },
  clipboard: {},
  credentials: {},
  keyboard: {},
  locks: {},
  mediaCapabilities: {},
  onLine: true,
  serviceWorker: {},
  storage: {},
  presentation: {},
  bluetooth: {},
  usb: {},
});
结果
总结
1.出于安全考虑,本章未提供完整流程,调试环节省略较多,只提供大致思路,具体细节要你自己还原,相信你也能调试出来。